Nowadays you can find all kinds of information about conspiracy theories and about the surveillance techniques that malicious websites and ISPs use to spy on you. Many online sources (including the Edward Snowden documents) present strong proof of such activities.

Luckily, we can all use VPNs, the ultimate protection against that. Many Internet users know what a VPN is, and many may even have used one once or twice. If you are a frequent VPN user, you have probably come across different VPN implementations while trying to find the best option.

There is a great variety of VPNs, and it can be challenging to choose the right one, especially if you have just been introduced to the technology. In this article Privatoria's network security experts cover the most popular implementations you can find on the web and explain which VPN protocols are secure.

PPTP

Point-to-Point Tunneling Protocol (PPTP) is probably the oldest one around. Introduced by Microsoft back in 1999, it quickly became the security standard for business communications over dial-up networks. PPTP is a pure tunneling protocol: it provides no encryption of its own and relies on separate encryption algorithms for security.

PPTP is now a standard VPN implementation on practically every computing platform. It does not require any additional software, which makes it a popular choice for businesses and VPN providers. It is also fast on modern Internet connections (considering it was designed for dial-up).

Even though PPTP now uses 128-bit encryption keys, its known flaws cannot be ignored, the best known of them being in MS-CHAPv2. Back in the day it was the default choice for PPTP implementations. Unfortunately, an authentication vulnerability was found that made it possible to crack the encryption in 48 hours.

The flaw has since been patched (using PEAP authentication). Many users and VPN providers, however, are still not aware of this and could be using old authentication methods today. This is why most security experts would advise you to stay away from PPTP.

L2TP/IPsec

Layer 2 Tunneling Protocol (L2TP) is essentially only a channel for transferring data. It does not provide any encryption or security. To fix that, it is combined with IPsec, a suite of ciphers and related encryption mechanisms.

The L2TP/IPsec VPN implementation is as common as PPTP: it is built into the major desktop and mobile platforms, so it is easy to install and configure. Users connecting to a VPN from behind a NAT firewall may run into problems, however, because it uses UDP port 500 to establish the connection and UDP port 4500 for data transfer, and a firewall can block both. Fixing such issues requires configuring port forwarding (unlike SSL-based VPNs, which use TCP port 443 and can disguise themselves as standard HTTPS traffic). This might scare some users away.
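To make the port behaviour above concrete, here is an added example (not code from Privatoria or from this article) that classifies flows in firewall log lines by transport and destination port. The log line format and the sample lines are constructed for the example; the UDP 500/4500 and TCP 443 signatures are the ones named in the text, and the OpenVPN UDP 1194 and PPTP TCP 1723 defaults are well-known values added here.

```python
"""Classify VPN-related flows in firewall log lines by transport and port.

Added example for this article, not Privatoria's or any vendor's code. The
log line format is constructed for the example; the port/protocol signatures
are the ones the article names (UDP 500 and 4500 for L2TP/IPsec, TCP 443 for
SSL-based tunnels) plus two well-known defaults (OpenVPN UDP 1194, PPTP TCP 1723).
"""
import re
from collections import Counter

# Constructed format: "<timestamp> <ALLOW|DROP> proto=<udp|tcp> src=<ip>:<port> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SIGNATURES = {
    ("udp", 500): "IKE (IPsec key exchange)",
    ("udp", 4500): "IPsec NAT-T (ESP in UDP)",
    ("udp", 1194): "OpenVPN default port",
    ("tcp", 1723): "PPTP control channel",
    # Port alone cannot separate HTTPS from an SSL-based VPN on 443; that is
    # exactly why OpenVPN or SSTP on TCP 443 passes most firewalls.
    ("tcp", 443): "TCP 443 (HTTPS or SSL-based VPN)",
}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["proto"] = flow["proto"].lower()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def classify(flow):
    """Map a parsed flow to a VPN signature label, or 'unclassified'."""
    return SIGNATURES.get((flow["proto"], flow["dport"]), "unclassified")


def summarize(lines):
    """Count ALLOW/DROP per label so blocked VPN setups stand out."""
    counts = {}
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue  # skip lines that do not match the constructed format
        counts.setdefault(classify(flow), Counter())[flow["action"]] += 1
    return counts


def blocked_vpn_signatures(lines):
    """Labels of VPN signatures that saw at least one DROP: what a user behind
    a NAT firewall experiences as 'the VPN will not connect'."""
    return sorted(
        label for label, c in summarize(lines).items()
        if label != "unclassified" and c["DROP"] > 0
    )


# Constructed sample log: an L2TP/IPsec client blocked on UDP 500/4500 while
# TCP 443 and OpenVPN's UDP 1194 are allowed.
SAMPLE_LOG = [
    "2015-06-01T10:00:01 DROP proto=udp src=192.0.2.10:55000 dst=198.51.100.5:500",
    "2015-06-01T10:00:02 DROP proto=udp src=192.0.2.10:55001 dst=198.51.100.5:4500",
    "2015-06-01T10:00:03 ALLOW proto=tcp src=192.0.2.10:55002 dst=198.51.100.5:443",
    "2015-06-01T10:00:04 ALLOW proto=udp src=192.0.2.10:55003 dst=198.51.100.7:1194",
    "2015-06-01T10:00:05 ALLOW proto=tcp src=192.0.2.11:55004 dst=203.0.113.9:80",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for label, c in summarize(SAMPLE_LOG).items():
        print(f"{label}: {dict(c)}")
    print("blocked:", blocked_vpn_signatures(SAMPLE_LOG))
```

Run it as a script to see the per-signature counts. The point for a network defender is that DROPs on UDP 500/4500 identify a blocked IPsec client immediately, while a TCP 443 flow cannot be told apart from ordinary HTTPS by port alone.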

The IPsec encryption suite has no major known vulnerabilities and can be used safely if configured correctly. Documents leaked by Edward Snowden have, however, given us disturbing hints that serious efforts were made to crack it (among other things, by weakening the standard during its development).

The last point is speed. Since two separate services process and encrypt your data, you might notice it is not as fast as SSL-based solutions.

OpenVPN

This is probably the most popular VPN implementation of recent years. It is completely open source and uses OpenSSL with the SSLv3/TLSv1 protocols, along with a number of other security measures, to offer a strong VPN solution.

OpenVPN is a highly configurable VPN implementation. You can apply a great variety of tweaks to it to fit your needs. For example, it uses UDP by default but can be easily configured to use TCP port 443 (useful if you need to bypass a firewall).

OpenSSL is another great feature of OpenVPN. It provides support for a great variety of encryption algorithms, including AES, Blowfish, 3DES and some less widely known ones. Most VPN providers offer either Blowfish or AES. Blowfish has known weaknesses, which even its creator has pointed out.

AES is a relatively new encryption cipher with no known weaknesses. It is also used by the US government for data protection, which makes it a must-try for anyone who values their data and privacy. Its 128-bit block size (compared to Blowfish's 64-bit) helps it handle larger files (over 1 GB) better.

OpenVPN is generally faster than IPsec (regardless of the encryption level). It has also become a widely used VPN implementation despite having no native support on any platform. Setting up OpenVPN can be tricky at times: not only does it require you to install extra software, but you also need to supply configuration files with all of the settings (although some VPN clients let you set things up manually).
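As an added example that is not OpenVPN's or Privatoria's code, the following checker reads an OpenVPN client configuration and reports on the two choices discussed above: whether the transport is UDP (the default) or TCP 443, and whether the cipher is Blowfish or AES. The directive names are real OpenVPN directives; the two sample configurations and the host name vpn.example.net are constructed for the example.

```python
"""Audit an OpenVPN client config for the two choices the article discusses:
transport (UDP by default, TCP 443 to pass firewalls) and cipher (AES rather
than Blowfish).

Added example, not OpenVPN's or Privatoria's code. Directive names (proto,
remote, port, cipher, auth, remote-cert-tls) are real OpenVPN directives; the
two sample configs and the host name are constructed.
"""

# 64-bit-block or otherwise obsolete ciphers OpenVPN can still be told to use.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def parse_ovpn(text):
    """Return [(directive, [args])], skipping comments and inline <ca>...</ca> blocks."""
    directives, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def first(directives, name):
    """Arguments of the first occurrence of a directive, or None if absent."""
    for d, args in directives:
        if d == name:
            return args
    return None


def endpoint(directives):
    """(transport, port) the client will use. OpenVPN defaults are UDP and
    port 1194; 'remote host [port] [proto]' overrides 'port' and 'proto'."""
    proto = (first(directives, "proto") or ["udp"])[0]
    port = int((first(directives, "port") or ["1194"])[0])
    remote = first(directives, "remote") or []
    if len(remote) > 1:
        port = int(remote[1])
    if len(remote) > 2:
        proto = remote[2]
    return ("tcp" if proto.lower().startswith("tcp") else "udp", port)


def audit(text):
    """Return {'endpoint': (proto, port), 'findings': [...]} for one config."""
    d = parse_ovpn(text)
    proto, port = endpoint(d)
    findings = []
    if proto == "tcp" and port == 443:
        findings.append("INFO transport is TCP 443: looks like HTTPS, passes most firewalls")
    else:
        findings.append(f"INFO transport is {proto.upper()} {port}: faster, but a strict "
                        "firewall may block it; switch to TCP 443 if needed")
    cipher = first(d, "cipher")
    if cipher is None:
        # OpenVPN releases before 2.5 fall back to BF-CBC when no cipher is set.
        findings.append("HIGH no cipher directive: older clients default to BF-CBC (Blowfish)")
    elif cipher[0].upper() in WEAK_CIPHERS:
        findings.append(f"HIGH weak cipher {cipher[0]}: use an AES cipher instead")
    elif not cipher[0].upper().startswith("AES-"):
        findings.append(f"WARN non-AES cipher {cipher[0]}: confirm it is still considered safe")
    auth = first(d, "auth")
    if auth is None or auth[0].upper() == "SHA1":
        findings.append("WARN HMAC uses SHA1 (the default): prefer 'auth SHA256'")
    if first(d, "remote-cert-tls") != ["server"]:
        findings.append("WARN missing 'remote-cert-tls server': the client does not check "
                        "that the peer certificate is a server certificate")
    return {"endpoint": (proto, port), "findings": findings}


# Constructed sample configs; vpn.example.net is a placeholder host name.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
ca ca.crt
cert client.crt
key client.key
"""

HARDENED_CONFIG = """\
client
dev tun
proto tcp
remote vpn.example.net 443
cipher AES-256-CBC
auth SHA256
remote-cert-tls server
<ca>
placeholder for the CA certificate
</ca>
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit(cfg)
        print(name, report["endpoint"])
        for finding in report["findings"]:
            print("  ", finding)
```

Running the script prints the endpoint and findings for both sample configurations: the weak one is flagged for Blowfish (BF-CBC) and for relying on defaults, while the hardened one, on TCP 443 with AES-256-CBC and SHA256, produces only the informational transport line.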

Privatoria fully supports OpenVPN and AES encryption ciphers. You can also get a configuration file for your platform with a simple mouse click in your Privatoria control panel. Among other things, OpenVPN has also been described as reliable by Edward Snowden (most likely due to its Open Source nature).

SSTP

Secure Socket Tunneling Protocol (SSTP) is yet another Microsoft brainchild. SSTP makes up for every flaw PPTP has and offers benefits similar to OpenVPN's, including the ability to use TCP port 443 (thanks to its use of SSLv3).

There is one major problem, though: platform support. As of now, SSTP can be considered stable only in a Windows environment, which makes it the best choice for Windows users and a pointless choice for everyone else. It has, however, been ported to Linux, so you can give it a shot if you want (beware: it can be unstable).

The last point to keep in mind is that this standard is proprietary and owned by Microsoft, which means no independent expert can really test it. There is also no way to check it for backdoors.

Where it excels:

– strong security (usually AES ciphers)

– full Windows integration starting from Windows Vista

– support from Microsoft

– can bypass firewalls

Where it falls short:

– reliable operation is guaranteed only in a Windows environment

– proprietary standard which cannot be audited for backdoors

IKEv2

Internet Key Exchange version 2 (IKEv2) is a tunneling protocol based on IPsec, developed by Microsoft and Cisco. It offers, among other things, exclusive support for BlackBerry devices. Even though it was originally a proprietary standard, you can now find multiple implementations, which makes it interesting and worth getting into.

Another useful feature of IKEv2 is that it can automatically re-establish a lost connection (it helps you out when, for some reason, you lose your Internet connection and forget to reconnect to the VPN after you are back online).

Mobile users get the most out of this feature, as they may change networks a couple of times a day. For most of them it would be inconvenient to reconnect to the VPN each time they join a new network. IKEv2 is also fast and reliable, at least as fast and reliable as the L2TP/IPsec implementation.

Where it excels:

– as fast as, and sometimes faster than, PPTP, SSTP and L2TP (because it does associate itself with Point-to-Point protocols)

Encryption and Ciphers

All of the above numbers look really good when you read them, but what do they actually mean? Well, here are a few examples:

– a 128-bit key is basically a string of zeros and ones, but there are so many possible combinations that it may take around 1 billion years to crack it by so-called "brute force", even with a supercomputer.

– a 256-bit key would require two times more power to break than a 128-bit one. It goes without saying that even with the best computer in the world it would take forever, and then some.

Encryption key length is basically just a raw quantity of bits. To actually perform encryption, you also need a cipher (a mathematical operation). As of 2015, AES is the optimal cipher and is used by most VPN providers. RSA is also used to encrypt and decrypt the cipher's keys. SHA1 or SHA2 hash functions are used to authenticate data. AES is also used by the US government, which makes it an even more attractive cipher choice.

So what do we get out of all this?

VPN technology is not a cutting-edge solution, but according to Edward Snowden it still performs pretty well and can provide decent protection if properly configured. OpenVPN is the most popular implementation right now. It is available on virtually any platform via extra software and takes little to no time to configure if you have the configuration file. L2TP/IPsec is also a decent solution that will suit you well if you do not want to install extra software on your machine.